Thank you for your reply. I have also looked over the replies to Micha. Can you please confirm I understand correctly

COs will be given a full set of iKeys.
RKSHs will only be given Domain and CO cards
Domain cards will be 5 out of 7
All other cards will be 3 out of 7
The backup will now be on a different HSM

I have a few additional questions

In my first email I asked the question:
What credentials will be required to apply existing cards to a new HSM?
by this I was referring to transferring the new credentials (Domain, Audit, CO, SO) between all of the different Thales Luna HSMs 

In your reply to Micha you state that new HSMs are to be added every two to three years. However looking at the previous scripts quite a few of the recent ones involve new HSMs. Is this just to do with the lifecycle of the originals?

Finally I notice that KSK Ceremony 53 is split into two parts. Will the second part (Introducing the new HSMs) be live streamed the same way as the normal ceremony?

I apologise for all the questions but it doesn't help that I only started learning about DNSSEC and the KSK about 3 months ago.

Kind Regards,

Will